HHS recently announced that it will not impose penalties if business associates disclose protected health information relating to COVID-19 during the public health emergency period. This waiver, announced in a Notification of Enforcement Discretion, applies if the disclosure is for public health and health oversight activities. It will apply, the Office for Civil Rights at HHS explained, even if their business associate agreement with covered entities does not specifically allow for such disclosure if two things hold true. First, that the disclosure or use is made in “good faith” for public health activities and health oversight activities. Second, that the BA informs the covered entity within ten days after the use or disclosure occurs. Examples provided by HHS include BA notifications to public health authorities, such as the CDC, health departments and CMS.
As we reported on in more detail in our healthcare blog, it is important to note that HHS’ notification is not a broad waiver of the use and disclosure requirements of HIPAA. BAs must continue to comply with other provisions of HIPAA.
This notification aligns with the general shift toward deregulation of the healthcare industry during the COVID-19 pandemic. We will continue to monitor regulations surrounding COVID-19 and the healthcare industry to evaluate whether the industry continues down a path of deregulation or if a new series of regulations are imposed following the pandemic’s end.
Putting it Into Practice: With this announcement, HHS has granted greater freedom for BAs to cooperate with and exchange COVID-19-related information with public health and oversight agencies. BAs, however, must still comply with the other provisions of the HIPAA Privacy and Security Rules.
*This alert is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship. Please contact your Sheppard Mullin attorney contact for additional information.*